DNSSEC 5th May 2010 at 17:00 UTC | is this another Y2K?

A little-known event occurs on Wednesday. The 13 root nameservers that run the internet, by ensuring those obscure numeric IP addresses resolve as friendly English words for us, are getting a security upgrade.

DNSSEC is designed to solve a flaw in the regular DNS used by the root servers to date. When you type in your URL, a check is run through DNS servers to obtain the numeric IP address, which then locates the site you are seeking. As clunky as it sounds, this happens very quickly, in milliseconds. It does this by caching the DNS information held at the root nameservers closer to your computer, at hosting services, ISPs etc.

The security issue arises when bad guys intercept the request to the DNS server by pretending to be one themselves. Then your friendly bank URL can be directed to the bad guys' server, and while it looks like your bank, in fact you are handing your credentials to the bad guys.

DNSSEC adds a security layer to the DNS request, which is intended to maintain its validity by keeping a chain from the root servers all the way out to the ISP DNS servers. There is much debate over the workability and even the viability of this exercise. It has been debated for over 15 years. Time will tell; that is not my issue today. The issue this week is that DNSSEC is being rolled out and only a few DNS systems have installed DNSSEC. A related issue is the size of packets used for DNS. DNSSEC uses a 512-byte limit. There are protocols for how to treat those over that size, but from my reading over the last few weeks it seems that treatment is not consistent, and this is the most likely cause of problems when the change is made.
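The two resolver-side behaviours the last two paragraphs touch on can be shown in a few dozen lines: rejecting a reply that does not match the outstanding query (the impersonation risk), and dealing with the 512-byte limit, which is the classic DNS-over-UDP maximum that the larger signed answers DNSSEC produces routinely exceed. A server that would exceed the client's buffer sets the TC (truncated) flag and the client retries over TCP; a client can avoid the truncation by advertising a bigger buffer with an EDNS0 OPT record. The code below is an added, constructed example and not from the post; the name, IP addresses and 4096-byte buffer size are assumptions, and it deliberately does no RRSIG/DNSKEY validation, which is what DNSSEC proper adds on top.

```python
"""Added example: resolver-side handling of DNS replies (constructed, offline).

Shows two checks a resolver applies to a UDP reply:
  1. drop replies whose transaction ID does not match the outstanding query
     (an unsolicited or forged reply), and
  2. handle the classic 512-byte UDP limit: a server that must exceed the
     client's advertised buffer sets TC, and the client retries over TCP,
     or avoids truncation by advertising a larger EDNS0 buffer up front.
No RRSIG/DNSKEY validation is performed; that is DNSSEC proper.
"""
import struct

DNS_UDP_LIMIT = 512   # RFC 1035 maximum UDP payload without EDNS0
EDNS_BUFSIZE = 4096   # buffer size this example's client advertises (assumption)
TYPE_A, TYPE_OPT = 1, 41

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")  # type, class, ttl, rdlength (after the name)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_query(qname, qtype, txid, edns_bufsize=None):
    """Build a recursive query; with edns_bufsize, append an EDNS0 OPT record."""
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, no rdata
        opt = b"\x00" + RR_FIXED.pack(TYPE_OPT, edns_bufsize, 0, 0)
    header = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 1 if opt else 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt


def advertised_udp_size(query):
    """UDP payload size the client advertised via EDNS0, else the 512-byte default."""
    _, _, qd, an, ns, ar = HEADER.unpack_from(query, 0)
    off = HEADER.size
    for _ in range(qd):
        off = skip_name(query, off) + 4          # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _, rdlen = RR_FIXED.unpack_from(query, off)
        off += RR_FIXED.size + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return DNS_UDP_LIMIT


def build_response(query, ipv4s, txid=None, ad=False):
    """Server side: answer with A records, truncating (TC=1) if the reply
    would exceed the buffer the client advertised."""
    qid = HEADER.unpack_from(query, 0)[0]
    rid = qid if txid is None else txid          # txid override models a forged reply
    question = query[HEADER.size:skip_name(query, HEADER.size) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    answers = b"".join(
        b"\xc0\x0c" + RR_FIXED.pack(TYPE_A, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
        for ip in ipv4s)
    full = HEADER.pack(rid, flags, 1, len(ipv4s), 0, 0) + question + answers
    if len(full) > advertised_udp_size(query):
        # Minimal truncation: header with TC set plus the question only
        return HEADER.pack(rid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return full


def classify_response(query, response):
    """Client side: decide what to do with a UDP reply to `query`."""
    qid = HEADER.unpack_from(query, 0)[0]
    rid, rflags = HEADER.unpack_from(response, 0)[:2]
    if rid != qid:
        return "drop: transaction id mismatch (unsolicited or forged reply)"
    if not rflags & FLAG_QR:
        return "drop: QR bit clear, not a response"
    if rflags & FLAG_TC:
        return "truncated: retry over TCP"
    if len(response) > advertised_udp_size(query):
        return "drop: larger than the UDP buffer we advertised"
    return "ok"


if __name__ == "__main__":
    # Constructed data: 40 A records is enough to push a reply past 512 bytes,
    # standing in for the larger signed answers DNSSEC produces.
    ips = ["192.0.2.%d" % i for i in range(1, 41)]
    plain = build_query("example.com", TYPE_A, 0x1234)
    edns = build_query("example.com", TYPE_A, 0x1234, EDNS_BUFSIZE)
    print(classify_response(plain, build_response(plain, ips)))           # truncated
    print(classify_response(edns, build_response(edns, ips)))             # ok
    print(classify_response(plain, build_response(plain, ips[:1], txid=0x9999)))  # drop
```

The transaction-ID check alone is weak protection against a forged reply, which is exactly why the chain of signatures the post describes matters; what the example does show is the mechanical part of the packet-size problem: a client that never advertises an EDNS0 buffer will see TC set on any reply larger than 512 bytes and must fall back to TCP, and a path that blocks DNS over TCP or drops large UDP packets is where the inconsistent treatment the post worries about turns into a failed lookup.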

No-one is quite sure what will happen on DNSSEC day +1.

Today it appears that some services are having DNS issues and one can only conclude that there is a problem brewing. Expect choppy waters over the next few days.